Need advice on migrating firewalls to active/active setup

spfister336 · ‎10-08-2020

We have a 6509e as the core of our network. Connected to this are a pair of ASA 5585-Xs acting as a firewall. These are currently in an active/standby setup. Lately, in the mornings especially, we seem to be hitting the limit of how much traffic these can handle. We would like to migrate over to active/active to distribute the load better. As far as I can tell, we have a license for active/active. Currently, there's a single default route pointing to the active firewall's inside address.

How is this normally done? Is it common to use a FHRP like GLBP? I'm really hoping to not have to redesign the whole network.

balaji.bandi · ‎10-08-2020

Make sure you have clarity on Active / Active Firewall

ASA Active / Active FW means Multi-Context default

That means :

Context A

FW1- Active - FW2 Standby

Context B

FW -Standby FW2 -- Active

So the end is Active-Standby - is this your requirement?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

spfister336 · ‎10-08-2020

My main goal is to distribute the load. One ASA is hitting capacity (not constantly, but enough that end-users are noticing), and one isn't doing anything. They have SSP-20 in both. We could look at replacing them, but since we appear to have licenses for active/active, I thought I'd look at this first.